General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
Under GDPR, employers are entitled to monitor employee activity if they have a lawful basis for doing so and the purpose of their monitoring is clearly communicated to employees in advance.
Due to the imbalance of power in the employer-employee relationship, employers can no longer rely on consent to process employee data. For businesses, the most appropriate grounds will most likely be the legitimate interest of the employer (data controller).
There are many legitimate business reasons why employers monitor employees using CCTV. Lawful bases of monitoring include keeping employees safe and secure by preventing crime, preventing employee misconduct, ensuring compliance with health and safety procedures, monitoring and improving productivity, and in some cases such as the financial services sector, complying with regulatory requirements.
Employers generally rely on legitimate interests as an appropriate legal basis for processing personal data – it entails organisational accountability and enables the responsible uses of personal data, while protecting employees' data privacy rights.
Employers relying on legitimate interests as the legal basis for processing need to consider the legitimacy of their stated interest (and potentially the interests of third parties) and must balance that interest against the interests, rights and freedoms of their employees. In addition, employers also need to apply safeguards and compliance steps to ensure that employees' rights are not prejudiced in any given case. Should an employee object to the use of CCTV cameras in a particular area, the new GDPR test will place the burden on the employer to demonstrate that it has “compelling legitimate grounds” for processing that override the employees' rights, or for the establishment, exercise or defence of legal claims.
Employee monitoring by CCTV surveillance should be confined to areas where the risk of infringing employees' privacy rights is low. The use of CCTV cameras that constantly monitor a select group of employees in a particular area is more likely to be deemed intrusive than the use of cameras that monitor all employees in a general entrance area.
The purpose of CCTV should be clearly communicated to employees by way of a Privacy Notice. In line with the GDPR requirements, employers are under a duty to employees to make this clear and unambiguous. The general assumption for CCTV usage in the workplace is that it serves security purposes, whereas its use for monitoring employee performance or conduct is not an obvious reason. Therefore, employees must be clearly given notice prior to having their personal data recorded for this purpose. The same approach to notice must be adopted if the purpose of CCTV surveillance is also for health and safety reasons.
What's the risk of CCTV 'profiling' under the GDPR?
Under Article 35 GDPR, any excessive use of CCTV monitoring to profile employees is considered "high risk" profiling in line with guidance issued by the Article 29 Working Party. This requires a Data Protection Impact Assessment (“DPIA”). A DPIA considers whether the surveillance is necessary and proportionate to what an employer is seeking to achieve in light of the risks to the rights of data subjects, including consideration of any safeguards or security measures that the controller will put into place.
López Ribalda and others v Spain
A recent judicial decision of the European Court of Human Rights ("ECtHR") has reinforced the importance of applying the proportionality principle under the current Data Protection Directive when assessing the lawfulness of using CCTV surveillance to monitor employees. The ECtHR hears matters concerning the European Convention on Human Rights (ECHR), an international treaty that protects human rights and fundamental freedoms in Europe.
The ECtHR decision in López Ribalda and others v Spain held illegal an employer's covert use of video surveillance in a chain of Spanish supermarkets and reaffirmed the principles of transparency, proportionality and lawful monitoring.
The background to the case concerned five supermarket workers who were being monitored by their employer for the purposes of investigating possible theft. The employer installed both visible and hidden cameras and communicated notice to its workers about the visible cameras only. Thus unaware of the covert cameras, all the workers suspected of theft were shown video footage capturing their involvement in misappropriating the employer's goods. The five employees admitted involvement in the thefts and were dismissed on disciplinary grounds.
In the case before the ECtHR, the employees argued that the use of the covert video evidence in the unfair dismissal proceedings had infringed both their privacy rights and their right to a fair trial under the ECHR. The court rejected the fair trial claim but upheld the employees' privacy claim finding that the Spanish courts had failed to strike a fair balance between the employees' right to respect for their private life and the employer's interest in protecting its property. The majority of the bench found that the employer’s rights could have been safeguarded if they had notified their employees in advance of the covert cameras.
This case involved a family-owned chain of supermarkets. Other questions may be raised where a company does not have control of, or access to, the CCTV systems in place, for example where premises are rented and the landlord is the processor.
What should employers consider?
Employers should take into account the new GDPR requirements if they plan to install CCTV cameras for any purpose. The rights of employees, potential customers and other parties should be addressed, bearing in mind that monitoring may only be undertaken if there is a lawful basis for doing so. Employers should remember that any personal data collected must be used and kept only to fulfil its original purpose, and a GDPR-compliant Notice must be prominently displayed.
It is advisable for employers to draft a series of data protection policies relating to the use of CCTV cameras. These policies should address the purposes for which the CCTV surveillance is being carried out, the conditions in which monitoring will take place, the nature of the monitoring, how individuals' personal data obtained will be used, how long the footage will be retained, as well as the impact on individuals' rights.
Employers should ensure that they put prominent and adequate signage in areas where CCTV cameras are installed. Employers should also put in place appropriate technical and organisational measures to mitigate any risk posed to an employee's privacy rights in the event of a data breach, as required by GDPR. CCTV systems are inherently vulnerable to cyber-attacks when connected to the Internet or the cloud; the security and privacy of the footage held is best ensured by restricting access to the systems and having robust controls in place to prevent internet-borne attacks such as spyware or malware.
In closing, an employer's use of CCTV in the workplace can raise complex legal issues in light of the new GDPR requirements, depending on the purpose of the surveillance. Where the proportionality of the processing is not clear, specialist legal advice is recommended to ensure that the usage is GDPR-compliant.